Not so long ago, Amazon Alexa and Google Home users got a pretty good idea of how private their devices are after the revelation that both companies routinely use human contractors to transcribe voice commands.
Now, researchers at Germany’s Security Research Labs have proved that “not only the manufacturers but… also hackers can abuse those voice assistants to intrude on someone’s privacy.”
The whitehat hackers from the research team eavesdropped on conversations and phished sensitive passwords by abusing the backend that Amazon and Google provide for digital assistant apps.
It was noted that developers use these backends to manipulate the actions and commands to which Amazon Alexa and Google Home respond.
Google Home and Amazon Alexa hacked
By manipulating the commands of very ordinary-looking apps, the team was able to introduce long periods of silence, leading the user to believe that the assistant has shut down.
To phish sensitive information, the researchers demonstrated a horoscope app that includes simple commands like “what’s my horoscope.”
When the victim tries to invoke the command, the device responds with an error. The idea is to trick the victim into believing that the app has failed. In reality, the app has only taken a long pause that the team managed to add in the backend.
Once the pause is over, the app asks for sensitive information, tricking victims into believing that the assistant itself is asking for it.
The researchers followed a similar approach for eavesdropping on conversations. After the user is deceived into believing that the action is over, the hacker introduces multiple long pauses to keep listening to the conversation.
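A reviewer-side check for the pattern described above, as an added example that is not from the original article, SRLabs, Amazon or Google: it scans a recorded test session for long silences, stop or error messages that leave the session open, and sensitive prompts that follow. The record fields `speech` and `end_session`, the use of SSML `<break>` tags to represent silence, the keyword lists and the 5-second threshold are all assumptions.

```python
import re

# Assumed, simplified record per app response (not a vendor schema):
#   speech      - text/SSML the app asks the assistant to speak
#   end_session - True if the app closes the microphone session afterwards
BREAK_RE = re.compile(r'<break\s+time="(\d+(?:\.\d+)?)(ms|s)"\s*/>', re.I)
TAG_RE = re.compile(r"<[^>]+>")
STOP_RE = re.compile(r"\b(goodbye|bye|error|not available)\b", re.I)
SENSITIVE_RE = re.compile(r"\b(password|passcode|pin|credit card)\b", re.I)
MAX_SILENCE_S = 5.0  # assumed review threshold, tune per platform


def silence_seconds(speech):
    """Sum the silence requested by all <break> tags in one response."""
    return sum(float(v) / (1000 if u.lower() == "ms" else 1)
               for v, u in BREAK_RE.findall(speech))


def review_turns(turns):
    """Return (turn_index, finding) pairs for one recorded test session."""
    findings, seemed_finished = [], False
    for i, turn in enumerate(turns):
        silence = silence_seconds(turn["speech"])
        spoken = TAG_RE.sub(" ", turn["speech"]).strip()
        session_open = not turn["end_session"]
        if silence > MAX_SILENCE_S:
            findings.append((i, "long-silence"))
        if session_open and STOP_RE.search(spoken):
            # Sounds like the app stopped or failed, yet it keeps listening.
            findings.append((i, "stop-message-but-session-open"))
            seemed_finished = True
        if session_open and not spoken:
            findings.append((i, "silent-turn-session-open"))
        if SENSITIVE_RE.search(spoken) and (seemed_finished or silence > MAX_SILENCE_S):
            findings.append((i, "sensitive-prompt-after-apparent-stop"))
    return findings


# Constructed sample sessions (not captured from any real app).
BENIGN = [{"speech": 'Leo, expect a calm day. <break time="500ms"/> Goodbye.',
           "end_session": True}]
PHISHING = [{"speech": 'Sorry, an error occurred. <break time="10s"/>'
                       '<break time="10s"/> Please say your account password.',
             "end_session": False}]
EAVESDROP = [{"speech": "Goodbye.", "end_session": False},
             {"speech": '<break time="10s"/>', "end_session": False}]

if __name__ == "__main__":
    for name, session in [("benign", BENIGN), ("phishing", PHISHING), ("eavesdrop", EAVESDROP)]:
        print(name, review_turns(session))
```

Keyword matching like this only surfaces candidates for human review; a real vetting pipeline would also need to re-check an app's backend behaviour after approval.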
Amazon and Google change their approval process
The security researchers Luise Frerichs and Karsten Nohl were only able to demonstrate the hack due to holes in Google’s and Amazon’s app vetting process.
After SRLabs privately reported the findings earlier this year, both companies removed the apps and decided to improve the approval process.
Amazon has decided to “put mitigations in place to prevent and detect this type of skill behavior.” Meanwhile, Google said it would put “additional mechanisms in place to prevent these issues from occurring in the future.”
Interestingly, this is not the first time Amazon Alexa and Google Home commands have been misused for eavesdropping. We witnessed a similar approach with Alexa back in April 2018.